Skip to main content

Session Fixation

295 CVEs product

Monthly

CVE-2026-14609 LOW Monitor

Session fixation in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to pre-set a known session identifier in a victim's browser, then hijack the authenticated session after the victim logs in. The CVSS 4.0 score of 2.9 reflects limited impact scope (low confidentiality, integrity, and availability) combined with high attack complexity, though a public exploit has been released (E:P). No CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis.

Session Fixation Information Disclosure Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-13707 NONE Awaiting Data

Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.

Session Fixation Information Disclosure PHP Oauth
NVD VulDB
EPSS
0.3%
CVE-2026-56224 MEDIUM PATCH This Month

Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.

Session Fixation Information Disclosure Capgo
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-35095 MEDIUM PATCH This Month

Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Session Fixation Information Disclosure E Bok
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56425 CRITICAL PATCH Act Now

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.

Session Fixation PHP CSRF Microsoft Misp
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-12581 HIGH This Week

Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.

Information Disclosure Session Fixation Easyflow Net
NVD
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-41839 MEDIUM PATCH This Month

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Session Fixation Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-11335 LOW POC Monitor

Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.

PHP Information Disclosure Session Fixation
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-67446 CRITICAL Act Now

Authentication bypass in Neterbit NW-431F routers running firmware 20241014-IR03 and earlier allows remote unauthenticated attackers to gain administrative access by simply setting a session cookie value to a predictable string such as 'admin'. The CVSS 9.8 rating reflects trivial network exploitability with full confidentiality, integrity, and availability impact, and a public proof-of-concept exists in the referenced GitHub repository, though the issue is not currently listed in CISA KEV.

Authentication Bypass Session Fixation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33384 MEDIUM This Month

Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.

Information Disclosure Session Fixation
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-48545 PyPI HIGH PATCH GHSA This Week

Cross-Space session fixation in Gradio before 6.15.0 lets an attacker who controls any Hugging Face Space poison a process-wide httpx.AsyncClient shared by the framework's /proxy= reverse-proxy endpoint. Because that single client keeps one cookie jar, a Set-Cookie header returned by a malicious upstream Space is stored and automatically replayed on every subsequent proxied request to sibling *.hf.space URLs, allowing the attacker to fix a parent-domain cookie across all users of the same Gradio deployment. SSVC rates exploitation as proof-of-concept with total technical impact; the issue is not in CISA KEV and is fixed in release 6.15.0 (GHSA-2mr9-9r47-px2g).

Code Injection Session Fixation Gradio
NVD GitHub
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-43827 Maven MEDIUM PATCH This Month

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

Session Fixation Apache Information Disclosure
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-41613 HIGH PATCH Exploit Unlikely This Week

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Session Fixation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30808 HIGH This Week

Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).

Session Fixation Information Disclosure
NVD
CVSS 4.0
7.6
EPSS
0.0%
CVE-2025-65415 MEDIUM This Month

Session fixation vulnerability in docuFORM Managed Print Service Client 11.11c allows unauthenticated remote attackers to hijack user sessions via the login page, enabling unauthorized access to application functions and potential disclosure of sensitive print job data. The vulnerability requires user interaction (clicking a malicious link) and affects confidentiality and integrity with a CVSS score of 5.4. No public exploit code or active exploitation has been confirmed at the time of analysis.

Session Fixation Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44553 PyPI HIGH PATCH GHSA This Week

Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.

Authentication Bypass Python Session Fixation
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40010 Maven CRITICAL PATCH GHSA Act Now

Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.

Session Fixation Apache Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-46605 MEDIUM PATCH This Month

Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. CVSS 6.2 reflects the high-complexity attack surface (AC:H) offset by elevated attacker privileges (PR:H) and direct confidentiality/integrity impact; no public exploit or active exploitation has been identified at time of analysis.

Authentication Bypass Dell Session Fixation
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-31940 HIGH PATCH This Week

Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.

PHP Information Disclosure Session Fixation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33946 Ruby HIGH PATCH GHSA This Week

Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).

Session Fixation Python Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-25101 MEDIUM PATCH This Month

Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.

Information Disclosure Session Fixation
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-33757 Go HIGH PATCH This Week

Session fixation via remote phishing in OpenBao before 2.5.2 lets an unauthenticated attacker hijack a victim's identity when a JWT/OIDC auth role is configured with callback_mode=direct. Because direct mode skips any confirmation prompt and calls back straight to the API, an attacker initiates the auth flow, lures a victim into completing the login through a crafted URL, then polls the API to collect the OpenBao token that gets issued under the victim's identity. There is no public exploit identified at time of analysis, EPSS is low (0.06%, 19th percentile), and it is not in CISA KEV, though SSVC rates the technical impact as total.

Information Disclosure Session Fixation
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-55264 MEDIUM This Month

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Session Fixation Aftermarket Dpc
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-33492 PHP HIGH GHSA This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Session Fixation PHP CSRF Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-70973 MEDIUM This Month

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. [CVSS 4.8 MEDIUM]

Session Fixation Information Disclosure
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-24352 MEDIUM This Month

Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.

Information Disclosure Session Fixation
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-2177 MEDIUM POC This Month

SourceCodester Prison Management System 1.0 contains a session fixation vulnerability in its login component that allows unauthenticated remote attackers to hijack user sessions. Public exploit code exists for this vulnerability, which enables attackers to impersonate legitimate users and gain unauthorized access to the system. No patch is currently available.

Information Disclosure Session Fixation
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7014 MEDIUM This Month

Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]

Information Disclosure Session Fixation
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-7015 MEDIUM This Month

Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation.This issue affects QR Menu: before s1.05.12. [CVSS 5.7 MEDIUM]

Information Disclosure Session Fixation
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-65681 PyPI LOW Monitor

An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Tutor
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-37159 MEDIUM This Month

A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Rated medium severity (CVSS 5.8), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation Authentication Bypass Arubaos Cx
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-10228 HIGH This Week

Session hijacking against Rolantis Information Technologies Agentis prior to version 4.44 is possible because the application fails to regenerate session identifiers across authentication state changes, letting a remote attacker who can lure a victim into using an attacker-supplied session token take over the authenticated session. CVSS 8.8 reflects full confidentiality, integrity, and availability impact once hijacked, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Information Disclosure Session Fixation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-59841 CRITICAL PATCH This Week

Flag Forge is a Capture The Flag (CTF) platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Session Fixation Flagforge
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-4644 npm MEDIUM PATCH This Month

A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-55668 Maven MEDIUM PATCH This Month

Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Session Fixation Apache Red Hat +1
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-8517 LOW POC PATCH Monitor

A vulnerability was detected in givanz Vvveb 1.0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Session Fixation Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-49812 HIGH PATCH This Week

CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.

Apache TLS Session Fixation Http Server Red Hat +2
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-52557 HIGH This Week

CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.

Information Disclosure XSS Session Fixation
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-45953 CRITICAL POC Act Now

A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation PHP Hostel Management System
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-45949 CRITICAL POC Act Now

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation PHP User Registration Login And User Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-42602 HIGH This Week

This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Authentication Bypass
NVD
CVSS 4.0
8.2
EPSS
0.6%
CVE-2025-28242 CRITICAL POC THREAT Emergency

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.5% and no vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
CVSS 3.1
9.8
EPSS
11.5%
CVE-2025-28238 CRITICAL Act Now

Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-49709 LOW Monitor

Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Iksoris
NVD
CVSS 4.0
2.3
EPSS
0.1%
CVE-2025-0126 HIGH This Week

When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Paloalto
NVD
CVSS 4.0
8.3
EPSS
0.4%
CVE-2025-29928 HIGH PATCH This Week

authentik is an open-source identity provider. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Session Fixation Authentik
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
CVE-2025-27661 CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Vasion Print Virtual Appliance
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-1412 Go LOW PATCH Monitor

Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Privilege Escalation Mattermost Server
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2024-49344 MEDIUM This Month

IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure IBM Session Fixation Openpages With Watson
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2022-40916 CRITICAL POC Act Now

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Tiny File Manager
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-42207 MEDIUM This Month

HCL iAutomate is affected by a session fixation vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Session Fixation Dryice Iautomate
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-22216 MEDIUM This Month

A UAA configured with multiple identity zones, does not properly validate session information across those zones. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-24503 CRITICAL This Week

A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-24502 MEDIUM This Month

An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2024-56529 HIGH This Month

Mailcow through 2024-11b has a session fixation vulnerability in the web panel. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-57052 CRITICAL This Week

An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Session Fixation PHP Youdiancms
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2024-42171 MEDIUM This Month

HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Session Fixation Dryice Myxalytics
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-42170 MEDIUM This Month

HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Session Fixation Dryice Myxalytics
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2024-13279 PHP CRITICAL PATCH This Week

Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.0.0 before 1.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Two Factor Authentication Drupal
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-56733 Ruby MEDIUM This Month

Password Pusher is an open source application to communicate sensitive information over the web. Rated medium severity (CVSS 5.7). No vendor patch available.

Authentication Bypass XSS Session Fixation
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2024-28144 MEDIUM This Month

An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-11317 CRITICAL Act Now

Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Abb Session Fixation Information Disclosure Aspect Ent 2 Firmware Aspect Ent 256 Firmware +17
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2024-10318 MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx Nginx Api Connectivity Manager Nginx Ingress Controller +2
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2024-23590 Maven CRITICAL PATCH Act Now

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Session Fixation Information Disclosure Kylin
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-48929 NuGet MEDIUM PATCH This Month

Umbraco is a free and open source .NET content management system. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Umbraco Cms
NVD GitHub
CVSS 3.1
4.2
EPSS
0.2%
CVE-2024-10158 MEDIUM POC This Month

A vulnerability classified as problematic has been found in PHPGurukul Boat Booking System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Boat Booking System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.6%
CVE-2024-8643 CRITICAL Act Now

Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking.0.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Valeapp
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2024-45368 HIGH This Week

The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2024-42345 MEDIUM This Month

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Sinema Remote Connect Server
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2024-7341 Maven HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak Single Sign On Build Of Keycloak
NVD GitHub
CVSS 3.1
7.1
EPSS
1.7%
CVE-2024-37829 HIGH POC This Week

An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Outline
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-38513 Go CRITICAL PATCH Act Now

Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Session Fixation Fiber
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-24552 MEDIUM This Month

A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Session Fixation Bludit
NVD
CVSS 4.0
5.6
EPSS
0.4%
CVE-2024-25977 HIGH This Week

The application does not change the session token when using the login or logout functionality. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Session Fixation
NVD GitHub
CVSS 3.1
7.3
EPSS
0.6%
CVE-2024-2260 PyPI MEDIUM POC PATCH This Month

A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Authentication Bypass Session Fixation Zenml
NVD GitHub
CVSS 3.1
4.2
EPSS
0.4%
CVE-2024-30262 PHP HIGH PATCH This Week

Contao is an open source content management system. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Contao
NVD GitHub
CVSS 3.1
7.1
EPSS
0.5%
CVE-2024-31221 MEDIUM POC PATCH This Month

Sunshine is a self-hosted game stream host for Moonlight. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. Public exploit code available.

Session Fixation Information Disclosure Sunshine
NVD GitHub
CVSS 3.1
5.9
EPSS
0.5%
CVE-2024-2639 MEDIUM This Month

A vulnerability was found in Bdtask Wholesale Inventory Management System up to 20240311. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.5%
CVE-2024-22250 HIGH This Week

Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged. Rated high severity (CVSS 7.8). No vendor patch available.

Information Disclosure Session Fixation VMware Microsoft
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-24823 Maven MEDIUM PATCH This Month

Graylog is a free and open log management platform. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

XSS Session Fixation Graylog
NVD GitHub
CVSS 3.1
4.4
EPSS
0.4%
CVE-2024-23679 Maven CRITICAL PATCH Act Now

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Xp
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-50920 MEDIUM POC This Month

An issue was discovered on GL.iNet devices before version 4.5.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Session Fixation Gl Ax1800 Firmware Gl Axt1800 Firmware Gl Mt3000 Firmware +9
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-0351 LOW POC Monitor

A vulnerability classified as problematic has been found in SourceCodester Engineers Online Portal 1.0. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Engineers Online Portal
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2023-6913 HIGH This Week

A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Imou Life
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2023-49804 npm HIGH PATCH This Week

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Session Fixation Authentication Bypass Dockge Uptime Kuma
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-48929 CRITICAL POC Act Now

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation System Sentinel Anyware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-46733 PHP MEDIUM PATCH This Month

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure Session Fixation Symfony
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-5309 CRITICAL Act Now

Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Puppet Enterprise
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2023-0897 CRITICAL Act Now

Sielco PolyEco1000 is vulnerable to a session hijack vulnerability due to the cookie being vulnerable to a brute force attack, lack of SSL, and the session being visible in requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Polyeco500 Firmware Polyeco300 Firmware Polyeco1000 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2023-45687 HIGH POC This Week

A session fixation vulnerability in South River Technologies' Titan MFT and Titan SFTP servers on Linux and Windows allows an attacker to bypass the server's authentication if they can trick an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Session Fixation Microsoft Titan Mft Server Titan Sftp Server
NVD
CVSS 3.1
8.8
EPSS
1.2%
EPSS 0% CVSS 2.9
LOW Monitor

Session fixation in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to pre-set a known session identifier in a victim's browser, then hijack the authenticated session after the victim logs in. The CVSS 4.0 score of 2.9 reflects limited impact scope (low confidentiality, integrity, and availability) combined with high attack complexity, though a public exploit has been released (E:P). No CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis.

Session Fixation Information Disclosure Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
EPSS 0%
NONE Awaiting Data

Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.

Session Fixation Information Disclosure PHP +1
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.

Session Fixation Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Session Fixation Information Disclosure E Bok
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.

Session Fixation PHP CSRF +2
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.

Information Disclosure Session Fixation Easyflow Net
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Session Fixation Java +1
NVD HeroDevs VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.

PHP Information Disclosure Session Fixation
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Neterbit NW-431F routers running firmware 20241014-IR03 and earlier allows remote unauthenticated attackers to gain administrative access by simply setting a session cookie value to a predictable string such as 'admin'. The CVSS 9.8 rating reflects trivial network exploitability with full confidentiality, integrity, and availability impact, and a public proof-of-concept exists in the referenced GitHub repository, though the issue is not currently listed in CISA KEV.

Authentication Bypass Session Fixation
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.

Information Disclosure Session Fixation
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-Space session fixation in Gradio before 6.15.0 lets an attacker who controls any Hugging Face Space poison a process-wide httpx.AsyncClient shared by the framework's /proxy= reverse-proxy endpoint. Because that single client keeps one cookie jar, a Set-Cookie header returned by a malicious upstream Space is stored and automatically replayed on every subsequent proxied request to sibling *.hf.space URLs, allowing the attacker to fix a parent-domain cookie across all users of the same Gradio deployment. SSVC rates exploitation as proof-of-concept with total technical impact; the issue is not in CISA KEV and is fixed in release 6.15.0 (GHSA-2mr9-9r47-px2g).

Code Injection Session Fixation Gradio
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

Session Fixation Apache Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Session Fixation
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).

Session Fixation Information Disclosure
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Session fixation vulnerability in docuFORM Managed Print Service Client 11.11c allows unauthenticated remote attackers to hijack user sessions via the login page, enabling unauthorized access to application functions and potential disclosure of sensitive print job data. The vulnerability requires user interaction (clicking a malicious link) and affects confidentiality and integrity with a CVSS score of 5.4. No public exploit code or active exploitation has been confirmed at the time of analysis.

Session Fixation Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.

Authentication Bypass Python Session Fixation
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.

Session Fixation Apache Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. CVSS 6.2 reflects the high-complexity attack surface (AC:H) offset by elevated attacker privileges (PR:H) and direct confidentiality/integrity impact; no public exploit or active exploitation has been identified at time of analysis.

Authentication Bypass Dell Session Fixation
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.

PHP Information Disclosure Session Fixation
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).

Session Fixation Python Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.

Information Disclosure Session Fixation
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Session fixation via remote phishing in OpenBao before 2.5.2 lets an unauthenticated attacker hijack a victim's identity when a JWT/OIDC auth role is configured with callback_mode=direct. Because direct mode skips any confirmation prompt and calls back straight to the API, an attacker initiates the auth flow, lures a victim into completing the login through a crafted URL, then polls the API to collect the OpenBao token that gets issued under the victim's identity. There is no public exploit identified at time of analysis, EPSS is low (0.06%, 19th percentile), and it is not in CISA KEV, though SSVC rates the technical impact as total.

Information Disclosure Session Fixation
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Session Fixation Aftermarket Dpc
NVD
EPSS 0% CVSS 7.3
HIGH This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Session Fixation PHP CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. [CVSS 4.8 MEDIUM]

Session Fixation Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.

Information Disclosure Session Fixation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SourceCodester Prison Management System 1.0 contains a session fixation vulnerability in its login component that allows unauthenticated remote attackers to hijack user sessions. Public exploit code exists for this vulnerability, which enables attackers to impersonate legitimate users and gain unauthorized access to the system. No patch is currently available.

Information Disclosure Session Fixation
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]

Information Disclosure Session Fixation
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation.This issue affects QR Menu: before s1.05.12. [CVSS 5.7 MEDIUM]

Information Disclosure Session Fixation
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Tutor
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Rated medium severity (CVSS 5.8), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation Authentication Bypass Arubaos Cx
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Session hijacking against Rolantis Information Technologies Agentis prior to version 4.44 is possible because the application fails to regenerate session identifiers across authentication state changes, letting a remote attacker who can lure a victim into using an attacker-supplied session token take over the authenticated session. CVSS 8.8 reflects full confidentiality, integrity, and availability impact once hijacked, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Information Disclosure Session Fixation
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH This Week

Flag Forge is a Capture The Flag (CTF) platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Session Fixation Flagforge
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Session Fixation +3
NVD
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

A vulnerability was detected in givanz Vvveb 1.0.6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Session Fixation Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.

Apache TLS Session Fixation +4
NVD
EPSS 0% CVSS 8.6
HIGH This Week

CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.

Information Disclosure XSS Session Fixation
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation PHP +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation PHP +1
NVD GitHub
EPSS 1% CVSS 8.2
HIGH This Week

This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Authentication Bypass
NVD
EPSS 12% CVSS 9.8
CRITICAL POC THREAT Emergency

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.5% and no vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
EPSS 0% CVSS 2.3
LOW Monitor

Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Iksoris
NVD
EPSS 0% CVSS 8.3
HIGH This Week

When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Paloalto
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

authentik is an open-source identity provider. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Session Fixation Authentik
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Vasion Print +1
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Privilege Escalation Mattermost Server
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure IBM Session Fixation +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Tiny File Manager
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

HCL iAutomate is affected by a session fixation vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Session Fixation Dryice Iautomate
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A UAA configured with multiple identity zones, does not properly validate session information across those zones. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD
EPSS 0% CVSS 9.3
CRITICAL This Week

A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD
EPSS 0% CVSS 7.1
HIGH This Month

Mailcow through 2024-11b has a session fixation vulnerability in the web panel. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL This Week

An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Session Fixation PHP +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Session Fixation Dryice Myxalytics
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

HCL MyXalytics is affected by a session fixation vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Session Fixation Dryice Myxalytics
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH This Week

Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.0.0 before 1.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Two Factor Authentication +1
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

Password Pusher is an open source application to communicate sensitive information over the web. Rated medium severity (CVSS 5.7). No vendor patch available.

Authentication Bypass XSS Session Fixation
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Abb Session Fixation Information Disclosure +19
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx +4
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Session Fixation Information Disclosure +1
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Umbraco is a free and open source .NET content management system. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Umbraco Cms
NVD GitHub
EPSS 1% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as problematic has been found in PHPGurukul Boat Booking System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Boat Booking System
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking.0.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Valeapp
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Sinema Remote Connect Server
NVD
EPSS 2% CVSS 7.1
HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Outline
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Session Fixation Fiber
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM This Month

A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Session Fixation Bludit
NVD
EPSS 1% CVSS 7.3
HIGH This Week

The application does not change the session token when using the login or logout functionality. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Session Fixation
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM POC PATCH This Month

A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Authentication Bypass Session Fixation Zenml
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Contao is an open source content management system. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Contao
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

Sunshine is a self-hosted game stream host for Moonlight. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. Public exploit code available.

Session Fixation Information Disclosure Sunshine
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

A vulnerability was found in Bdtask Wholesale Inventory Management System up to 20240311. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged. Rated high severity (CVSS 7.8). No vendor patch available.

Information Disclosure Session Fixation VMware +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Graylog is a free and open log management platform. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

XSS Session Fixation Graylog
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Xp
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

An issue was discovered on GL.iNet devices before version 4.5.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Session Fixation Gl Ax1800 Firmware +11
NVD GitHub
EPSS 0% CVSS 3.1
LOW POC Monitor

A vulnerability classified as problematic has been found in SourceCodester Engineers Online Portal 1.0. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Engineers Online Portal
NVD VulDB
EPSS 1% CVSS 8.1
HIGH This Week

A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Imou Life
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Session Fixation Authentication Bypass Dockge +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation System Sentinel Anyware
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure Session Fixation +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Puppet Enterprise
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Sielco PolyEco1000 is vulnerable to a session hijack vulnerability due to the cookie being vulnerable to a brute force attack, lack of SSL, and the session being visible in requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Polyeco500 Firmware +2
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A session fixation vulnerability in South River Technologies' Titan MFT and Titan SFTP servers on Linux and Windows allows an attacker to bypass the server's authentication if they can trick an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Session Fixation Microsoft +2
NVD
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy